Moar downtime? who was playing with bots again?
-
That joke was funnier as a running gag in
that "Godzilla" movie with Matt Broderick every Looney Tunes cartoon with Porky Pig. FTFY
-
Wonder if it's possible to poison discourse editor by using a browser that doesn't support utf8 (ie, one of the bots we have running around)
probably, actually. Sockbot uses UCS2 internally (because javascript) but talks UTF8 to the site now. it could be changed to talk ASCII and see what hilarity ensues.
NOTA BENE
I am NOT recommending or endorsing such use of my code for Sockbot, merely stating an option exists. I do NOT endorse or approve of such a use of Sockbot, but given that he is MIT licensed there's not much i can do to stop you if you choose to ignore this warning.
-
why is it only happening here
Because nowhere else users like building strange topic titles with excessive UTF-8 composing accents and such joys?
-
Wonder if it's possible to poison discourse editor by using a browser that doesn't support utf8 (ie, one of the bots we have running around)
With Firefox you can edit and resend a request. Just put some invalid bytes in the POST* data (%FF is a good candidate since this byte is always invalid in UTF-8) and send it out.
I have already tried this in various places but did not get anything except HTTP 500 errors (probably a UnicodeDecodeError, or whatever Ruby uses, being thrown when the request is handled).
* Discourse uses PUT requests to send out posts, but you know what I mean
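A boundary check for the case described in the post above, as an added Ruby example (not code from the thread or from Discourse; `decode_text_param` and `first_invalid_offset` are hypothetical names): it rejects a malformed value with a 400 and the offset of the offending byte instead of letting an encoding exception surface as a 500, while valid combining sequences pass through untouched.

```ruby
require "uri"

# Byte offset of the first invalid sequence in str, or nil if str is well-formed.
def first_invalid_offset(str)
  offset = 0
  str.each_char do |ch|
    return offset unless ch.valid_encoding?
    offset += ch.bytesize
  end
  nil
end

# Decode one percent-encoded form value at the request boundary.
# Hypothetical helper: returns a hash the caller maps to an HTTP response.
def decode_text_param(raw)
  # URI only tags the decoded bytes as UTF-8; it does not validate them.
  text = URI.decode_www_form_component(raw, Encoding::UTF_8)
  bad_at = first_invalid_offset(text)
  return { status: 400, error: "invalid UTF-8 at byte #{bad_at}" } if bad_at
  { status: 200, text: text }
rescue ArgumentError
  # Raised by URI for a malformed escape such as "%zz".
  { status: 400, error: "malformed percent-encoding" }
end

# Constructed sample inputs: two valid values (one with a combining accent),
# the %FF case from the post, a truncated sequence, and a broken escape.
SAMPLES = ["caf%C3%A9", "e%CC%81", "title%FFhere", "%C3", "%zz"].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |raw| puts "#{raw.ljust(14)} #{decode_text_param(raw)}" }
end
```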
-
Because nowhere else users like building strange topic titles with excessive UTF-8 composing accents and such joys?
But so what if we do? That's no excuse for the software choking on it.
-
* Discourse uses PUT requests to send out posts, but you know what I mean
FYI, POST works too. ;-)
-
It always felt like PUT was an afterthought in the specification to me.
-
indeed. the distinction between the two is vague at best (at least in implementations, the spec is pretty clear but most implementations take PUT = POST)
-
Yup, because POST has been around so long now that not supporting it is almost more work than supporting it.
-
On the contrary, if that is the case we should be forcing a lot of poisoned data. Discourse should be doing sanitization on text formatting along with everything else.
Speculation of course.
-
I uninstalled Firefox quite a while ago, it was pissing me off by removing features. But now Chrome is doing it too...
-
On the contrary, if that is the case we should be forcing a lot of poisoned data.
if you want to do that, be my guest. However, i'm not taking any responsibility for your actions and am going on record as saying that i think it is a bad idea.
av a VERY bad idea
-
On the contrary, if that is the case we should be forcing a lot of poisoned data. Discourse should be doing sanitization on text formatting along with everything else.
Speculation of course.
Two words that do not live correctly in the same sentence.
-
Discoursitization?
-
Pretty sure my usage of the two words was accurate.
@accalia how else will you get your css kbd?
-
-
Pretty sure my usage of the two words was accurate.
@accalia how else will you get your css kbd?
Yes, your use of the words in themselves, that was fine. Except "Discourse" and "sanitization" are problematic in the same sentence by way of the fact that the former has little idea what the latter actually means.
-
Keyword modifiers: should be doing
Unless you're implying they shouldn't be.
-
-
No, I'm implying that they simply aren't but believe they are.
-
-
rephrase then
They know what the word is, not what it means, and certainly not the correct mindset to approach it from.
the correct mindset to approach sanitization from is: assume all input is dirty and malicious until proven otherwise, and then treat it like it was dirty and malicious anyway
-
Yes, they have some idea of what it means, as in they remove the stuff that is actually known to be harmful but they don't understand that everything else is in the 'potentially harmful' category until such time as it is discovered how to make it actually harmful.
-
in other words they're missing this mindset?
assume all input is dirty and malicious until proven otherwise, and then treat it like it was dirty and malicious anyway
-
They don't understand it, certainly.
-
we can agree on that!
-
the correct mindset to approach sanitization from is: assume all input is dirty and malicious until proven otherwise, and then treat it like it was dirty and malicious anyway
And since this is a forum, they should maintain this mindset for both user input, and data being retrieved from the database. That way, if their sanitization has been improved, the new methods will be applied to old posts.
-
indeed. I would tend to approach that by doing base64 encoding on pretty much any raw user fields on the way to the DB (except those i can guarantee safe because of format restrictions like dates, usernames, passwords (properly salted and hashed of course), emails, and foreign keys).
then apply whatever sanitization is appropriate on the way out of the database to the display layer.
but that's just my approach, it might not be right, it might not be the best, but it is mine.
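The store-raw, sanitize-on-output approach from the posts above, as an added Ruby example (not Discourse's code and not the poster's; the two sanitizers, the in-memory `db` and the sample post are constructed for illustration): because the raw text is kept, an improved sanitizer applies to old posts at render time, whereas a post sanitized once on input keeps whatever the old denylist missed.

```ruby
# Added illustration: sanitizer names, the in-memory "db" and the sample post
# are constructed here; none of this is Discourse code.
HTML_ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# v1: denylist. Removes only the markup known to be harmful when it was written.
def sanitize_v1(text)
  text.gsub(%r{</?script[^>]*>}i, "")
end

# v2: assumes all input is dirty and escapes every HTML metacharacter.
def sanitize_v2(text)
  text.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Store the raw field base64-encoded, untouched by any sanitizer.
def store_raw(db, id, text)
  db[id] = [text].pack("m0")
end

# Decode and sanitize on the way out, with whichever sanitizer is current.
def render(db, id, sanitizer)
  raw = db[id].unpack1("m0").force_encoding(Encoding::UTF_8)
  raise ArgumentError, "stored post #{id} is not valid UTF-8" unless raw.valid_encoding?
  send(sanitizer, raw)
end

# Constructed old post: v1's denylist does not cover event-handler attributes.
OLD_POST = '<b onclick="constructed()">hi</b><script>constructed()</script>'

def demo
  db = {}
  store_raw(db, 1, OLD_POST)
  # Sanitize-on-input: this string is all the database would ever hold.
  frozen_v1 = sanitize_v1(OLD_POST)
  { frozen_v1: frozen_v1,
    out_v1: render(db, 1, :sanitize_v1),
    out_v2: render(db, 1, :sanitize_v2) }
end

puts demo if __FILE__ == $PROGRAM_NAME
```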
-
I am NOT recommending or endorsing such use of my code for Sockbot, merely stating an option exists.
Given the audience to which that statement is addressed, that is a virtual invitation to try it. :)
-
i did say that i thought you shouldn't actually do it, right? i wasn't just imagining that part?
-
i did say that i thought you shouldn't actually do it, right? i wasn't just imagining that part?
Yes, you did say that. But you know that if this crowd thinks of a new way to break Discurse, we will try it.
-
Yes, they have some idea of what it means, as in they remove the stuff that is actually known to be harmful but they don't understand that everything else is in the 'potentially harmful' category until such time as it is discovered how to make it actually harmful.
OTOH, they sanitize away stuff that is harmless (although potentially annoying) like color attributes.
-
-
maybe, but i think i've said not to enough times that it will hold up in a court of law.
-
It's one of the worst features of Ruby
Yeah the string stuff is terrible, they should have just done what .NET did and made everything UTF8-16.
If this happens again and I can not figure it out I will monkey patch Ruby to find the offending strings.
-
monkey patch
ahe he he he he he he.
sorry, that phrase always makes me giggle. I know it's a legitimate thing, and often quite useful.... but that name!
-
I didn't know that was a real term so I asked Wikipedia.
"A monkey patch is a way for a program to extend or modify supporting system software locally (affecting only the running instance of the program). This process has also been termed duck punching."
Wikipedia
Now I can't decide if I like monkey-patch or duck punch more...
Filed Under: Decisions Decisions!
-
duck punch
PPPPPFFFFTTTTTTTTT! he he he he he.
monkey-patch
-snicker- BWA HA HA HA HA HA HA HA HA HA!
man, we geeks are bad at naming things!
-
Monkey Patch and Duck Punch both sound....depraved....
-
why do you think i'm laughing, i mean you have seen how i've acted around these forums right?
but this... is just hilarious!
-
Penis
-
why do you think i'm laughing, i mean you have seen how i've acted around these forums right?
but this... is just hilarious!
Indeed.
-
i'm sorry, was that supposed to be funny and/or attractive?
-
I didn't know that was a real term so I asked Wikipedia.
I googled it and lo and behold what was between the top results:
Must have been doing something wrong ...
-
I think he just wants @Boomzilla to like his post.
-
I will monkey patch Ruby
sorry, that phrase always makes me giggle.
Yeah. I can't not read it as "I will donkey punch Ruby."
-
man we geeks are bad at naming things!
"...gate-ship one..."
"You don't get to name things any more.
-
"
There. FTFM.
-
And that 2008 Atwood blog post mentions TDWTF:
"That's why sites like The Daily WTF are guaranteed to have more material than they can possibly ever publish for the next millennia. (Note to self: invest in this website)."
-
"That's why sites like The Daily WTF are guaranteed to have more material than they can possibly ever publish for the next millennia. (Note to self: invest in this website)."
Well, it's taken 6 years, but he's invested in TDWTF. He's given it even more material by giving us Discourse.